From adc3a218636e836988105f31872b139d88c5bcc1 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Mon, 12 Sep 2022 12:28:42 -0700
Subject: [PATCH] fix: add 'unsafe-inline' to script-src CSP

swagger-ui uses inline javascript to bootstrap itself, so we need to allow unsafe inline because we can't give swagger-ui a nonce to embed.

Signed-off-by: Kevin Morris
---
 aurweb/asgi.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/aurweb/asgi.py b/aurweb/asgi.py
index d1703c10..72b47b4c 100644
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@@ -256,7 +256,9 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
     # swagger-ui needs access to cdn.jsdelivr.net javascript
     script_hosts = ["cdn.jsdelivr.net"]
-    csp += f"script-src 'self' 'nonce-{nonce}' " + " ".join(script_hosts)
+    csp += f"script-src 'self' 'unsafe-inline' 'nonce-{nonce}' " + " ".join(
+        script_hosts
+    )
     # swagger-ui needs access to cdn.jsdelivr.net css
     css_hosts = ["cdn.jsdelivr.net"]
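Review bot: The added `'unsafe-inline'` on the new `csp +=` line will not do what the commit message intends in any browser that supports CSP Level 2 or later: when a `script-src` directive also carries a `'nonce-…'` (or hash) source, the specification requires `'unsafe-inline'` to be ignored, so swagger-ui's inline bootstrap script stays blocked there, while only legacy CSP1-only engines lose the inline-script protection. Should the keyword take effect anywhere, it does so for every response passing through this middleware, not just the documentation page, which removes most of the value of the per-response nonce. A narrower fix is to allow the inline bootstrap only on the swagger-ui route and without the nonce, for example `inline = " 'unsafe-inline'" if request.url.path == <swagger-ui path> else f" 'nonce-{nonce}'"` followed by `csp += f"script-src 'self'{inline} " + " ".join(script_hosts)`, or to pin the known bootstrap snippet with a `'sha256-…'` source, which is honored alongside the nonce. Whichever is chosen, a comment such as `# NOTE: 'unsafe-inline' is ignored by CSP2+ browsers when a nonce is present` next to this line would prevent the same regression later. The enclosing `add_security_headers` starts before this hunk and continues after it, so how `csp` is assembled and terminated elsewhere is not visible here.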